NY State First to Enact Tough Bank Cybersecurity Rules

Currently 47 states, the District of Columbia, the Virgin Islands and Puerto Rico have cybersecurity laws. Most of these laws require companies to notify customers of cybersecurity breaches. These are considered notice laws. If a company like Target suffers a cyberhacking event, the company must give notice to those affected. Usually that notice must be given within a specified period of time.

New York is now poised to really raise the bar. A proposal by the New York Department of Financial Services will require banks, money service businesses and insurers to take specific steps to prevent cybersecurity events. In other words, New York is moving from a notice rule to one focused on prevention.

To date, the feds have taken the lead on cybersecurity but even those efforts are rather limited. The Defense Department has the broadest rules followed by the SEC. These agencies have limited jurisdiction and therefore mostly impact defense contractors, military vendors and stockbrokers. The Office of the Comptroller of the Currency (OCC) and FDIC have issued guidance to banks but there are no formal rules or enforcement mechanism.

Under the New York proposal, covered institutions must appoint a chief information security officer, have a detailed plan to protect customer data and funds, and even ensure that their third-party vendors follow similar protocols. The law also requires periodic “vulnerability assessments” and yearly reviews.

The New York cybersecurity rule was probably prompted by the recent hack of JPMorgan Chase in 2014. In that incident, the records of 83 million customers were accessed by hackers.

In announcing the proposed New York cybersecurity rules, Governor Andrew Cuomo said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state sponsored organizations, global terrorist networks and other criminal enterprises. This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”

Whistleblower Awards for Bank and Cybersecurity Breaches

The New York proposals can only be enforced by the state. There is no whistleblower award provision. Those proposals, however, largely follow the guidance issued by the OCC, FDIC and Federal Reserve.

A bank that fails to protect customer accounts or data threatens the financial stability of the bank. Under the Financial Institutions Reform Recovery and Enforcement Act (FIRREA), any act that threatens the financial stability of the bank can give rise to a $1.6 million award. To qualify for an award, an insider must file a declaration with the Justice Department.

In the coming months, we anticipate seeing more bank insiders and IT professionals coming forward. We have already seen several violations by defense contractors, and bank compliance officials tell us that banks are not doing nearly enough to protect against cybersecurity attacks.

Under the FIRREA law, there is a good chance that we can file a claim for you and protect your identity from being disclosed. Even though the federal guidance is not in rule format, the banks can still be liable if they fail to act reasonably on cybersecurity matters.

Interested in learning more? Visit our cybersecurity whistleblower page or contact attorney Brian Mahany at *protected email* or by telephone at (414) 704-6731 (direct). Not quite ready to call? Please know that all inquiries are protected by the attorney-client privilege and kept confidential. There are also no legal fees or costs unless we collect an award for you. In the last 5 years our whistleblower clients have received over $100 million.